Configure a Rsyslog, Filebeat, or Winlogbeat data input in Health Log Analytics manually

  • リリースバージョン: Australia
  • 更新日 2026年03月12日
  • 所要時間:13分

    • Set up a data input for streaming log messages to your ServiceNow instance using an Rsyslog, Filebeat, or Winlogbeat agent.

    始める前に

    • Verify that a MID Server is installed and configured with the Log Ingestion capability enabled. For more information, see MID Server system requirements.

      MID Server configuration with Log Ingestion capability enabled.

      重要:
      Health Log Analytics does not support IPv6. To work with the application, configure the MID Server to IPv4.
    • Unless the MID Server and external clients are on the same network, the MID Server must have a public IP address. This is required when its IP is exposed through network address translation (NAT), a load balancer, or a similar device. The public IP address enables external clients, such as Filebeat agents located outside its network, to reach the MID Server. Private IP addresses are not routable over the internet. Without a public IP, external clients cannot connect to the MID Server even if they are configured with its address. In the MID Server properties, add a property named mid.public_ip with the public IP address as the value. For more information, see Create a MID Server property. If the MID Server and external clients are on the same network, connections can be made using the private IP address.
    • For shipping your logs encrypted using SSL TLS, see the Streaming Data With Rsyslog & Filebeat Using SSL [KB0866319] article in the Now Support Knowledge Base.

    Role required: evt_mgmt_admin

    手順

    1. Navigate to All > Health Log Analytics > Data Input > Data Inputs.
    2. On the Data Inputs page, select New.
    3. Choose the data input type to create from the available data input types described in the table.
      注:
      The selected data input type complements the passive data input (listener). For more information, see Supported data inputs.
      表 : 1. Data input types
      Type Description
      Rsyslog Streams log messages from UNIX-based servers to the ServiceNow AI engine using the Rsyslog agent.
      Linux using Filebeat Streams system log messages and local files from Linux servers to the instance using the Filebeat agent.
      Windows Application Logs using Filebeat Streams local files from Microsoft Windows devices to the ServiceNow instance using the Filebeat agent.
      Windows OS using Winlogbeat Streams Windows event logs to the ServiceNow instance using the Winlogbeat agent.
    4. On the Getting Started tab, fill in the form.

      For a description of the fields, see Rsyslog, Filebeat, or Winlogbeat data input configuration fields.

      注:
      When creating a data input for Linux using Filebeat, you can select a content pack from the Content pack drop-down. The content pack contains default source types and mapping script templates that save you the time it takes to create them from scratch. For more information, see Health Log Analytics content packs for quicker time to value.
    5. If the Rsyslog, Filebeat, or Winlogbeat agent has not already been installed, download and install it from the Installation tab.
      For installation instructions, refer to the product documentation of the respective agent.
      注:
      Make sure that you’re running the latest version of the agent. Earlier versions will work, but with limited functionality.
    6. On the Tagging and Binding tab, assign logs to an service instance in the Configuration Management Database (CMDB) to enable the service to correlate the log data and enable the system to do root cause analysis.
      1. For each source, configure the path and service instance for the logs to be streamed.
        注:
        By default, only the required fields Path and Service instance appear.

        For a description of the fields, see Rsyslog, Filebeat, or Winlogbeat data input configuration fields.

      2. If you want to ship multiline logs using Filebeat, configure the properties that control how Filebeat handles messages that span multiple lines of text.
        Field Description
        Match Specifies how Filebeat combines matching lines into an event.
        Negate Defines whether the pattern identified in the log lines is negated.
        Regex Specifies the regular expression to match.
        注:
        Health Log Analytics currently doesn't support multiline properties for Rsyslog.
      3. オプション: Define additional log paths to enable the data input to stream log types from multiple paths.
        Do the following for each additional log path:
        1. Insert a new row.
        2. Configure the log path.
        3. Choose a service instance.
        4. (Optional) Choose a component and a source type.
        注:
        This option is not available or necessary when using Winlogbeat, because Health Log Analytics streams the Windows event logs.
    7. On the Finish tab, complete the configuration for your data input type.
      • Rsyslog:
        1. Download the configuration file and install it on the endpoint device, in the /etc/rsyslog.d/rsyslog.conf directory.
          注:
          If you are using the Health Log Analytics application, Version 20.0.11 - July 2021, available from the ServiceNow Store , do the following instead:
          1. On the endpoint device, install the configuration file in the /etc/rsyslog.d/ directory.
          2. Create a spool directory by running the sudo mkdir -p/var/spool/rsyslog command.
        2. Validate the configuration by running the rsyslogd -N1 command and verify the output.
        3. Restart Rsyslog by running the sudo systemctl restart rsyslog command.
        4. Verify the output. If it contains errors, check the /var/log/messages system log file for error messages and fix the errors.
      • Linux using Filebeat:
        1. Download the configuration file and install it on the endpoint device, in the /etc/filebeat/ directory.
        2. Start the agent service by running the sudo service filebeat start command.
          注:
          The generated configuration ignores files that were last changed more than six hours ago. If needed, you can change this setting in the configuration.
        3. Restart the agent service by running the appropriate command.
      • Windows using Beats (Filebeat or Winlogbeat):
        1. Download the configuration file and install it on the endpoint device, in the C:\Program Files\ directory.
        2. Start the agent service by running the appropriate command in PowerShell.
          • Filebeat: PS > Start-Service filebeat
          • Winlogbeat: PS > Start-Service winlogbeat
          注:
          The generated configuration ignores files that were last changed more than six hours ago. If needed, you can change this setting in the configuration.
        3. Restart the agent service by running the appropriate command.
    8. Select Save.
      Health Log Analytics adds the data input record to the Data Inputs table.
    9. Verify that the data input is configured correctly by selecting Test connection.

      Health Log Analytics tries to connect the MID Server to the data repository.

      • If the connection was established, the Test connection button is turned off and the Publish button is enabled.
      • If the connection failed, the reason for the failure displays in the Error message field. This field displays only when a streaming error has occurred.

        Resolve the issue, select Save if you modified the configuration, and then select Test connection to test the connection again.

        注:
        You can only publish the data input configuration when the connection is created successfully.
      注:
      You can revert to the last published configuration by selecting Revert Changes. This option is available only when you're modifying a configuration that has been published previously.
    10. Select Publish to publish the data input to the MID Server.

    タスクの結果

    The data input configuration process is complete. Health Log Analytics adds the data input record to the Data Inputs table and attaches the configuration file to the data input record. The data input starts streaming log data to your ServiceNow instance.

    注:
    The configuration file Health Log Analytics generates for new Filebeat data inputs is compatible with Filebeat version 7.14 and above. The minimum Filebeat version that Elasticsearch currently supports is 7.17, which is nearing its end of life (EOL).

    Existing Filebeat data input configuration files in HLA are compatible with Filebeat versions up to 8.x. For Filebeat version 9.0 and above, either migrate from log input to filestream input or generate a new configuration file. For more information on the migration process, refer to the Filebeat documentation.

    注:
    If the HLA engine is down and data has stopped streaming, a notification appears at the top of the data input configuration page. When this happens, contact ServiceNow support.

    次のタスク

    Make sure that the data input is streaming data.